CVE-2024-21511
published 2024-04-23CVE-2024-21511: Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the…
PriorityP356critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.03%
59.3th percentile
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sidorares | mysql2 | >= 0 < 3.9.7 | 3.9.7 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
MySQL2 for Node Arbitrary Code Injection
ghsa·2024-04-23
CVE-2024-21511 [CRITICAL] CWE-94 MySQL2 for Node Arbitrary Code Injection
MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
OSV
MySQL2 for Node Arbitrary Code Injection
osv·2024-04-23
CVE-2024-21511 [CRITICAL] MySQL2 for Node Arbitrary Code Injection
MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Red Hat
mysql2: Arbitrary Code Injection due to improper sanitization of the timezone parameter
vendor_redhat·2024-04-23·CVSS 9.8
CVE-2024-21511 [CRITICAL] CWE-94 mysql2: Arbitrary Code Injection due to improper sanitization of the timezone parameter
mysql2: Arbitrary Code Injection due to improper sanitization of the timezone parameter
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to arbitrary code injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Package: rhdh-operator-container (Red Hat Developer Hub) - Not affected
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) - Not affected
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713https://github.com/sidorares/node-mysql2/pull/2608https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713https://github.com/sidorares/node-mysql2/pull/2608https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
2024-04-23
Published